Framework for coordination between endpoint security and network security services

ABSTRACT

Systems and techniques are described for virtual machine security. A described technique includes operating one or more virtual machines each in accordance with a respective security container, wherein the respective security container is associated with a respective rule that specifies transfer of the virtual machine from the respective security container to a quarantine container based on one or more criteria. One or more security services are operated on the one or more virtual machines to identify one or more security threats associated with one or more of the virtual machines. One or more tags generated by the endpoint security services are obtained, where each tag is for a virtual machine that is associated with one of the identified security threats. And one of the virtual machines is identified as requiring transfer to the quarantine container based on, at least, one or more of the obtained tags and the one or more criteria.

BACKGROUND

This document relates to virtual machines and security services.

A virtual machine is a software-based abstraction of a physical computersystem. In general, any computer program that can be executed on aphysical computer system can be executed in a virtual machine usingvirtualization software. Virtualization software is software that islogically interposed and interfaces with a virtual machine and aphysical computer system. Each virtual machine is configured to executean operating system, referred to herein as a guest OS, and applications.A physical computer system, referred to herein as a host machine, canexecute one or more virtual machines.

A virtual machine can be accessed locally or remotely, through a networkconnection. For example, it is possible to use a remote desktop clientto access a virtual machine remotely. A remote desktop client is acomputer program that communicates user interface information with aremote computer system. Generally, the user interface informationincludes display data, which is received from the remote computer systemand displayed on the computer local to the user, and sends keyboard andmouse inputs generated by the user to the remote computer system. Inthis way, applications executing remotely from the user can be accessedand interacted with by the user.

Further, applications and operating systems, regardless of executing ona virtual machine or directly on a host machine, are still vulnerable toprograms or codes, such as a virus or a worm, that surreptitiouslyenters a computer environment. Viruses often replicate themselves, orcause themselves to be replicated, thereby consuming excessive amountsof computer resources, and causing degradation or disruption of computeroperation. A “worm” can be defined as a virus that automaticallyattaches itself to outgoing email or other network messages. Someviruses erase or corrupt disk files, or require that a hard disk beentirely reformatted. A virus may wreak its havoc immediately uponentering a computer environment, or may lie dormant until circumstancescause their code to be executed by the host computer. Regardless as tothe potential damage that can be caused by a particular virus, allviruses are generally considered malicious, should be prevented frominfecting a system, and should be removed if discovered. For presentpurposes, the term “virus” will refer to any such malicious code.

The threat of viruses is particularly acute in a networked environment,where a computer on the network is accessible to viruses of varyingdegrees of sophistication and severity created by legions of hackers.These viruses may surreptitiously enter the computer environment througha variety of mechanisms, for example, as attachments to emails or asdownloaded files, or through a service program listening to a networkport. Various examples of antivirus software include system scannersthat scan a complete disk drive and memory system for malicious code,and “on-access” scanners that scan a file when it is requested by theoperating system. Other types of antivirus software are possible.

SUMMARY

In general, one aspect of the subject matter described in this documentcan be embodied in a technique that includes operating one or morevirtual machines each in accordance with a respective securitycontainer, wherein the respective security container is associated witha respective rule that specifies transfer of the virtual machine fromthe respective security container to a quarantine container based on oneor more criteria; operating one or more endpoint security services onthe one or more virtual machines to identify one or more securitythreats associated with one or more of the virtual machines; obtainingone or more tags generated by the one or more security services whereineach tag is for a virtual machine that is associated with one of theidentified security threats; identifying one of the virtual machinesthat requires transfer to the quarantine container based on, at least,one or more of the obtained tags and one or more of the criteria; andtransferring the identified virtual machine to the quarantine container.Other embodiments of this aspect include corresponding systems,apparatus, and computer software encoded on a non-transitory machinereadable storage medium.

These and other aspects can optionally include one or more of thefollowing features. Security services can include antivirus scanners,data loss prevention (DLP), file integrity monitoring, rootkit detector,vulnerability management, network firewalls, web security controls, andintrusion detection/prevention systems. A security threat can beresolved to remove a tag that caused the identified virtual machine tobe transferred to the quarantine container from the respective securitycontainer of the identified virtual machine; and the identified virtualmachine can be transferred from the quarantine container to therespective security container of the identified virtual machine. A userinterface can be provided to create and configure the one or morerespective security containers, wherein the user interface is configuredto create one or more tag-based rules for each of the one or morerespective security containers. Each tag can comprise a virtual machineidentifier, a tag label, and a tag value. The respective rule canspecify a threat level threshold, and wherein identifying the virtualmachine comprises comparing a tag value with the threat level threshold.The one or more endpoint security services can include one or more of anantivirus scanner configured to generate tags in accordance with a knowntag format, a vulnerability management mechanism configured to generatetags in accordance with the known tag format, or a data loss preventionmechanism configured to generate tags in accordance with the known tagformat. Operating the one or more virtual machines can comprise:detecting a user membership group in response to a virtual machine loginevent; selecting a respective security container based on the usermembership group; and assigning a virtual machine associated with thevirtual machine login event to the selected security container. The oneor more respective security containers can comprise: a first securitycontainer associated with a first rule that specifies transfer of avirtual machine from the first security container to a first quarantinecontainer based on one or more first criteria; and a second securitycontainer associated with a second rule that specifies transfer of avirtual machine from the second security container to a secondquarantine container based on one or more second criteria.Implementations can include operating a tag communication layer toreceive the one or more tags from the one or more security services, thetag communication layer being agnostic to the one or more endpointsecurity services. Implementations can include operating a networkfirewall in accordance with the quarantine container to restrict networkconnectivity of the identified virtual machine.

Particular embodiments of the subject matter described in this documentcan be implemented so as to realize one or more of the followingadvantages. Providing a framework for security services to tag virtualmachines can enable rapid and automatic transferring of a tagged virtualmachine to a different, more stringent container such as a quarantinecontainer. Once a virus has been detected on a virtual machine, it isadvantageous to minimize the time that a virtual machine spends outsideof a quarantine container as to prevent the spread or impact of thevirus on unaffected systems, prevent the leakage of sensitiveinformation, or both.

The details of one or more embodiments of the subject matter describedin this document are set forth in the accompanying drawings and thedescription below. Other features, aspects, and advantages of thesubject matter will become apparent from the description, the drawings,and the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows an example of virtual machines being assigned to securitycontainers and the transfer of a virtual machine between securitycontainers.

FIG. 2 shows an architecture for an example of a system that isconfigured to execute virtual machines.

FIG. 3 shows an architecture for an example of a security framework thatincludes a security manager.

FIG. 4 shows a flowchart for an example of a security process.

FIG. 5 shows a flowchart for another example of a security process.

FIG. 6 shows a flowchart for another example of a security process.

Like reference numbers and designations in the various drawings indicatelike elements.

DETAILED DESCRIPTION

This document describes a framework to achieve synergistic orchestrationamong different endpoint security (e.g., antivirus software) and networksecurity services (e.g., network firewalls). Such a framework can enablerapid and automatic responses to breaches of a security policy within avirtual machine environment, while enabling the customer to select thebest of breed in endpoint and network security services, including thoseservices by different vendors.

FIG. 1 shows an example of virtual machines being assigned to securitycontainers and the transfer of a virtual machine between securitycontainers. A physical machine such as a data processing apparatus canexecute virtual machines 110 a-d in accordance with respectivelyassigned security containers 105 a-c. The security containers 105 a-care operating environments for virtual machines that can specifypolicies such as firewall settings 115 a-c, operational settings for oneor more security services, and tag-based rules 120 a-c. In someimplementations, the security containers 105 a-c are associated withrespective firewall settings 115 a-c that have different allowed levelsof network connectivity. In this example, a first security container 105a is associated with a firewall setting 115 a that specifies fullnetwork access, whereas a second security container 105 b is associatedwith a firewall setting 115 b that specifies restricted network access.A quarantine container 105 c can be associated with a firewall setting115 c that specifies no network access, for example. A tag-based rule120 a-b can specify a transfer 130 to the quarantine container 105 cbased on one or more criteria such as criteria based on security tagsprovided by one or more security services. A security tag can representa security determination generated by a security service's review of avirtual machine 110 a-d. In some cases, a rule 120 c can specify atransfer 130 out of the quarantine container 105 c once a tag is clearedby a security service.

FIG. 2 shows an architecture for an example of a system 201 that isconfigured to execute virtual machines. In the system 201, a physicalmachine 230 can be configured to execute virtual machines 110 a-e usinga hypervisor 220. Computer terminals 240 a-b can access the virtualmachines 110 a-e using a network 235. In some implementations, thesystem 201 can be configured to provide a virtual desktop infrastructure(VDI) via computer terminals 240 a-b. A VDI allows computeradministrators to host and administer user desktops on virtualinfrastructure, e.g., VDI gives each user an independent virtual machinefor desktop computing. In some implementations, the computer terminals240 a-b are configured to provide a physical front-end to a virtualmachine 110 a-e by using a remote desktop protocol. Various examples ofcomputer terminals 240 a-b include client access devices such as PCs,thin clients, zero clients. Other types of terminals are possible.

Some virtual machines 110 a-d can each be assigned to one of thesecurity containers 105 a-c, while one or more other virtual machines110 e, referred to as security virtual machines, can be configured toprovide endpoint security services, network security services, or bothfor the virtual machines 110 a-d. For example, the security virtualmachine 110 e can execute an endpoint security service such as anantivirus scanner that scans the other virtual machines 110 a-d forsecurity threats such as viruses. In some implementations, an antivirusscanner can interact with thin agents running on the virtual machines110 a-d to perform scans of the virtual machines' memory, persistentstorage, and network communications, for example. In furtherimplementations, an antivirus scanner on the security virtual machine110 a can scan the other virtual machines 110 a-d autonomously. In otherimplementations, the hypervisor 220 can perform one or more networksecurity services such as operating a network firewall.

FIG. 3 shows an architecture for an example of a security framework thatincludes a security manager 310. A virtual infrastructure can deploysecurity services 305 a-d that include endpoint security services 305a-b and network security services 305 c-d. Various examples of endpointsecurity services 305 a-b include antivirus scanners, data lossprevention (DLP), file integrity monitoring, rootkit detector, andvulnerability management. Other types of examples are possible. Variousexamples of network security services 305 c-d include network firewalls,web security controls, and intrusion detection/prevention systems. Othertypes of examples are possible.

The security manager 310 can interact with the security services 305 a-dbased on security containers. The security manager 310 can provide auser interface for creating and configuring security containers. Asecurity container can specify or more security services to be executedon a virtual machine assigned to the container. One or more rules can beassociated with each security container. Such rules can be stored in asecurity container specifications database 320. In some implementations,a rule can specify an action (e.g., move to quarantine container) basedon an outcome of a security scan. Further, configuration information forone or more of the services 305 a-d can be stored in a securitycontainer specifications database 320. Configuration information can bespecified for each security service and can include parameters such as aname of a security service, a location of an executable corresponding tothe security service, or security settings. Other types of parametersare possible. For example, configuration information for an antivirussecurity service can include scan frequency and scan type. In someimplementations, the security manager 310 can operate the securityservices 305 a-d based on the configuration information specified by asecurity container. The security manager 310 can assign a virtualmachine to a security container; such assignments be stored in a virtualmachine security container assignment database 325.

One or more of the security services 305 a-d can assign a tag to avirtual machine based on an outcome of a security scan, a securityevent, or both. The security manager 310 can provide a tag communicationlayer to receive tags from one or more of the security services 305 a-dand distribute tags to components such as a virtual machine tag checker330. In some implementations, tag information can include a virtualmachine identifier, a tag name, and a tag value. Other types of taginformation are possible. In some implementations, a tag can becommunicated to the tag communication layer using an Extensible MarkupLanguage (XML). The virtual machine tag checker 330 can access tagsgenerated by the security services 305 a-d and compare them with one ormore criteria specified by a rule of a security container. Based onsatisfying the one or more criteria, an action associated with the rulecan be automatically executed.

FIG. 4 shows a flowchart for an example of a security process asimplemented by one or more data processing apparatus. At 405, theprocess deploys security services on virtual machines (VMs). In someimplementations, deploying security services can include installingsecurity software such as an antivirus scanner. At 410, the processregisters the security services. Registering a security service caninclude configuring a security manager to operate a security service.Registering a security service can include configuring a securitymanager to recognize tags generated by a security service.

At 415, the process provides a user interface (UI) to create andconfigure security containers and tag-based rules for the containers.Providing a UI can include displaying a graphical user interface (GUI).Providing a UI can include providing a command line interface (CLI). Insome implementations, the UI can be designed to specify differentservice configuration options for different security containers. Forexample, one security container may have a hourly antivirus scanrequirement, whereas another security container may have a daily orweekly antivirus scan requirement.

At 420, the process assigns VMs to one or more of the securitycontainers. In some implementations, the UI can further provide aninterface for assigning a virtual machine to a security container. Insome implementations, assignment of a VM to a security container isperformed dynamically in response to a login event. For example,assignment can be based on a user-identity or a user-group identity of auser associated with the login event.

At 425, the process applies the security services via the securitycontainers. Applying the security services via the security containerscan include accessing and using one or more service configurationoptions based on what is required by a security container. At 430, theprocess operates the security services on the VMs to detect securitythreats. In some implementations, the security manager can cause asecurity service to perform a scan of a virtual machine at periodic timeintervals in accordance with a requirement of a security container. At435, the process selectively assigns tags to the VMs based onrespectively detected security threats. For example, a security servicecan output a tag based on a detection of a threat such as a virus or amisconfiguration that creates a vulnerability. Various examples of a taginclude text-based labels such as “virus.threat=detected”,“malware.threat=high”, or “dlp.violation=HIPAA”. Other types of labelsare possible, for example a tag can be represented in a binary formatrather than a text format. In some implementations, a tag can include anindustry standard vulnerability score such as a Common VulnerabilityScoring System (CVSS) score, for example, “CVSS=9.7”. At 440, theprocess selectively changes the security container assignment of a VMbased on an assigned tag and a tag-based rule. For example, a securitycontainer may specify that any assigned VM having a CVSS score of 7 orgreater be transferred to a quarantine container that blocks networkaccess.

FIG. 5 shows a flowchart for another example of a security process ascan be implemented by one or more data processing apparatus. At 505, theprocess creates one or more security containers having a rule thatspecifies a transfer to a quarantine container based on one or morecriteria. Various examples of criteria include a threat level thresholdcriterion, vulnerability criterion, file integrity criterion, rootkitdetection criterion. Other types of criteria are possible. A rule, forexample, can specify a threat level threshold criterion, that if met orexceeded, would trigger a transfer. Another rule, for example, canspecify a rootkit detection criterion, that if met, e.g., a rootkit wasdetected, would trigger a transfer. Operating the one or more virtualmachines can include detecting a user membership group in response to avirtual machine login event, selecting a security container based on theuser membership group, and assigning a virtual machine associated withthe virtual machine login event to the selected security container.

At 510, the process operates one or more virtual machines in accordancewith the one or more security containers. At 515, the process operatesone or more endpoint security services on the virtual machines toidentify one or more security threats and assign one or more tags to oneor more of the one or more virtual machines. Operating one or moreendpoint security services can include causing a service to send a tagto a tag communication layer.

At 520, the process operates a tag communication layer to receive theone or more tags from the one or more endpoint security services, thetag communication layer being agnostic to or independent of the one ormore endpoint security services. Such an agnostic tag communicationlayer can enable security services from the same or different vendors toaccess the tag communication layer and enable inter-service coordinationvia a security manager. Further, the tag communication layer can employa known tag format such that the endpoint security services provide tagsin accordance with the known tag format. In some implementations,operating the tag communication layer includes receiving a tag thatincludes a virtual machine identifier, a tag label, and a tag value. Insome implementations, operating the tag communication layer includesreceiving a data packet containing a tag from a security service.Operating the tag communication layer can include storing tags producedby an endpoint security service. In some implementations, the tagcommunication layer is based on a publish/subscribe model where asecurity service publishes tags to a middleware engine and a tag checkersubscribes to the middleware engine to receive the tags.

At 525, the process identifies a virtual machine that requires atransfer to the quarantine container under the rule using the one ormore tags and the one or more criteria. Identifying a virtual machinethat requires a transfer can include retrieving a tag from a tagdatabase. Identifying a virtual machine that requires a transfer caninclude retrieving tag data stored in one or more memory locations via atag communication layer. Identifying a virtual machine that requires atransfer can include comparing accessed virtual machine tags with one ormore rules of a corresponding security container. The process caninclude transferring the identified virtual machine to the quarantinecontainer. Transferring the identified virtual machine can includeupdating a security container assignment data entry. Transferring theidentified virtual machine can include adding a virtual machineidentifier to a list of virtual machines assigned to a securitycontainer. At 530, the process operates a network firewall in accordancewith the quarantine container to restrict network connectivity of theidentified virtual machine.

FIG. 6 shows a flowchart for another example of a security process. At605, the process accesses a tag generated by an endpoint securityservice for a virtual machine assigned to a first security container. At610, the process determines whether the first security containerrequires a transfer of the virtual machine to a second securitycontainer based on the tag. If a transfer is not required, the processcontinues to operate the virtual machine in accordance with the firstsecurity container at 630. If a transfer is required, the processtransfers the virtual machine to the second security container at 615.At 620, the process operates the virtual machine in accordance with thesecond security container. At 625, the process resolves security threatto remove the tag and transfer back to the first security container.Resolving the security threat can include removing virus-infected files,applying software updates, or terminating vulnerable processes/software.Resolving the security threat can include re-executing a securityservice and determining whether to remove the tag based on adetermination of the security service. At 630, the process operates thevirtual machine in accordance with the first security container.

One or more of the security processes described herein can be employedin the following example. In a typical hospital datacenter, anadministrator can deploy endpoint security solutions such as ananti-virus product, a DLP product, a vulnerability management product,and network security services such as a firewall product, a web securitycontrol product through the security manager. The administrator can usea security manager's GUI to create user membership groups for differenthospital employees such as a doctor user group and a nurse user group.Further, the administrator can use the GUI to create security containersfor each of the user membership groups. In addition, the administratorcan also create a group, and security container, for patient medicalrecord servers. The administrator can use the GUI to create rules forthe security containers based on security policies. For example, thehospital's board might mandate the following security policies:

Security Policy 1. Doctors are allowed outside access to the Internetbut they need to be subject to web security controls (e.g., not allowedto browse to websites classified by the board as “Restricted”);

Security Policy 2. Nurses are not allowed external internet access;

Security Policy 3. Doctors and Nurses machines need to be scanned withan antivirus service on a daily basis;

Security Policy 4. Any machine diagnosed with a virus or known malwarerisk level higher than “Medium” must be quarantined with no networkaccess;

Security Policy 5. Doctors and Nurses machines need to be scanned with aDLP service on a weekly basis for HIPAA policy violations (e.g., thesemachines must not permanently store confidential patient data);

Security Policy 6. If confidential patient data exists on a machine, themachine needs to be quarantined with no network access to the outsideworld and the data needs to be removed;

Security Policy 7. Medical staff can access patient medical recordservers to access patient data but non-medical staff cannot;

Security Policy 8. All machines will be scanned for vulnerabilities on aweekly basis through a vulnerability management service; and

Security Policy 9. Machines with vulnerabilities with CVSS scores higherthan 8 must be quarantined.

In order to comply with the aforementioned mandated security policies,the administrator may use the security manager's GUI to perform thefollowing:

a) Assign a web security control security service to the “Doctors”security container (addresses Security Policy 1),

b) Assign a network firewall service with a policy to block access toexternal websites to the “Nurses” security container (addresses SecurityPolicy 2),

c) Assign endpoint security antivirus service to the “Doctors” securitycontainer and the “Nurses” security container with a daily scanfrequency (addresses Security Policy 3),

d) Assign endpoint security DLP service to the “Doctors” securitycontainer and the “Nurses” security container such that the DLP servicescans for HIPAA violations on a weekly basis (addresses Security Policy5),

e) Assign a network firewall service with a policy to allow access tothe patient medical record servers to the “Doctors” security containerand the “Nurses” security container (addresses Security Policy 7),

f) Assign a network firewall service with a policy to block access topatient medical record servers to security containers associated withnon-medical staff (addresses Security Policy 7),

g) Assign endpoint security vulnerability management service to allcontainers and set the scan frequency to be weekly (addresses SecurityPolicy 8),

h) Assign tag-based rules to the security containers such that a virtualmachine tagged with a “medium” or higher threat level is to betransferred to a quarantine container (addresses Security Policy 4),

i) Assign tag-based rules to the security containers such that a virtualmachine tagged with a DLP violation is to be transferred to a quarantinecontainer (addresses Security Policy 6), and

j) Assign tag-based rules to the security containers such that a virtualmachine tagged with a CVSS score higher than 8 is to be transferred to aquarantine container (addresses Security Policy 9).

Based on input received via the GUI, the security manager can output oneor more configuration files that capture the assigned services andtag-based rules. In some implementations, the configuration files can beformatted based on a text-based format such as XML or a binary format.In addition, the security manager can maintain one or more log filesthat identifies virtual machines and associated events, such as tagassignment or rule-based actions such as a transfer to a quarantinecontainer.

Embodiments of the subject matter and the operations described in thisdocument can be implemented in digital electronic circuitry, or incomputer software, firmware, or hardware, including the structuresdisclosed in this document and their structural equivalents, or incombinations of one or more of them. Embodiments of the subject matterdescribed in this document can be implemented as one or more computerprograms, i.e., one or more modules of computer program instructions,encoded on computer storage medium for execution by, or to control theoperation of, data processing apparatus. Alternatively or in addition,the program instructions can be encoded on an artificially-generatedpropagated signal, e.g., a machine-generated electrical, optical, orelectromagnetic signal, that is generated to encode information fortransmission to suitable receiver apparatus for execution by a dataprocessing apparatus. A computer storage medium can be, or be includedin, a computer-readable storage device, a computer-readable storagesubstrate, a random or serial access memory array or device, or acombination of one or more of them. Moreover, while a computer storagemedium is not a propagated signal, a computer storage medium can be asource or destination of computer program instructions encoded in anartificially-generated propagated signal. The computer storage mediumcan also be, or be included in, one or more separate physical componentsor media (e.g., multiple CDs, disks, or other storage devices).

The operations described in this document can be implemented asoperations performed by a data processing apparatus on data stored onone or more computer-readable storage devices or received from othersources. The term “data processing apparatus” encompasses all kinds ofapparatus, devices, and machines for processing data, including by wayof example a programmable processor, a computer, a system on a chip, ormultiple ones, or combinations, of the foregoing. The apparatus caninclude special purpose logic circuitry, e.g., an FPGA (fieldprogrammable gate array) or an ASIC (application-specific integratedcircuit). The apparatus can also include, in addition to hardware, codethat creates an execution environment for the computer program inquestion, e.g., code that constitutes processor firmware, a protocolstack, a database management system, an operating system, across-platform runtime environment, a virtual machine, or a combinationof one or more of them. The apparatus and execution environment canrealize various different computing model infrastructures, such as webservices, distributed computing and grid computing infrastructures.

A computer program (also known as a program, software, softwareapplication, script, or code) can be written in any form of programminglanguage, including compiled or interpreted languages, declarative orprocedural languages, and it can be deployed in any form, including as astand-alone program or as a module, component, subroutine, object, orother unit suitable for use in a computing environment. A computerprogram may, but need not, correspond to a file in a file system. Aprogram can be stored in a portion of a file that holds other programsor data (e.g., one or more scripts stored in a markup languagedocument), in a single file dedicated to the program in question, or inmultiple coordinated files (e.g., files that store one or more modules,sub-programs, or portions of code). A computer program can be deployedto be executed on one computer or on multiple computers that are locatedat one site or distributed across multiple sites and interconnected by acommunication network.

The processes and logic flows described in this document can beperformed by one or more programmable processors executing one or morecomputer programs to perform actions by operating on input data andgenerating output. The processes and logic flows can also be performedby, and apparatus can also be implemented as, special purpose logiccircuitry, e.g., an FPGA (field programmable gate array) or an ASIC(application-specific integrated circuit).

Processors suitable for the execution of a computer program include, byway of example, both general and special purpose microprocessors, andany one or more processors of any kind of digital computer. Generally, aprocessor will receive instructions and data from a read-only memory ora random access memory or both. The essential elements of a computer area processor for performing actions in accordance with instructions andone or more memory devices for storing instructions and data. Generally,a computer will also include, or be operatively coupled to receive datafrom or transfer data to, or both, one or more mass storage devices forstoring data, e.g., magnetic, magneto-optical disks, or optical disks.However, a computer need not have such devices. Moreover, a computer canbe embedded in another device, e.g., a mobile telephone, a personaldigital assistant (PDA), a mobile audio or video player, a game console,a Global Positioning System (GPS) receiver, or a portable storage device(e.g., a universal serial bus (USB) flash drive), to name just a few.Devices suitable for storing computer program instructions and datainclude all forms of non-volatile memory, media and memory devices,including by way of example semiconductor memory devices, e.g., EPROM,EEPROM, and flash memory devices; magnetic disks, e.g., internal harddisks or removable disks; magneto-optical disks; and CD-ROM and DVD-ROMdisks. The processor and the memory can be supplemented by, orincorporated in, special purpose logic circuitry.

To provide for interaction with a user, embodiments of the subjectmatter described in this document can be implemented on a computerhaving a display device, e.g., a CRT (cathode ray tube) or LCD (liquidcrystal display) monitor, for displaying information to the user and akeyboard and a pointing device, e.g., a mouse or a trackball, by whichthe user can provide input to the computer. Other kinds of devices canbe used to provide for interaction with a user as well; for example,feedback provided to the user can be any form of sensory feedback, e.g.,visual feedback, auditory feedback, or tactile feedback; and input fromthe user can be received in any form, including acoustic, speech, ortactile input. In addition, a computer can interact with a user bysending documents to and receiving documents from a device that is usedby the user, for example, by sending web pages to a web browser on auser's client device in response to requests received from the webbrowser.

Embodiments of the subject matter described in this document can beimplemented in a computing system that includes a back-end component,e.g., as a data server, or that includes a middleware component, e.g.,an application server, or that includes a front-end component, e.g., aclient computer having a graphical user interface or a Web browserthrough which a user can interact with an implementation of the subjectmatter described in this document, or any combination of one or moresuch back-end, middleware, or front-end components. The components ofthe system can be interconnected by any form or medium of digital datacommunication, e.g., a communication network. Examples of communicationnetworks include a local area network (“LAN”) and a wide area network(“WAN”), an inter-network (e.g., the Internet), and peer-to-peernetworks (e.g., ad hoc peer-to-peer networks).

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other. In someembodiments, a server transmits data (e.g., an HTML page) to a clientdevice (e.g., for purposes of displaying data to and receiving userinput from a user interacting with the client device). Data generated atthe client device (e.g., a result of the user interaction) can bereceived from the client device at the server.

While this document contains many specific implementation details, theseshould not be construed as limitations on the scope of any inventions orof what may be claimed, but rather as descriptions of features specificto particular embodiments of particular inventions. Certain featuresthat are described in this document in the context of separateembodiments can also be implemented in combination in a singleembodiment. Conversely, various features that are described in thecontext of a single embodiment can also be implemented in multipleembodiments separately or in any suitable subcombination. Moreover,although features may be described above as acting in certaincombinations and even initially claimed as such, one or more featuresfrom a claimed combination can in some cases be excised from thecombination, and the claimed combination may be directed to asubcombination or variation of a subcombination.

Similarly, while operations are depicted in the drawings in a particularorder, this should not be understood as requiring that such operationsbe performed in the particular order shown or in sequential order, orthat all illustrated operations be performed, to achieve desirableresults. In certain circumstances, multitasking and parallel processingmay be advantageous. Moreover, the separation of various systemcomponents in the embodiments described above should not be understoodas requiring such separation in all embodiments, and it should beunderstood that the described program components and systems cangenerally be integrated together in a single software product orpackaged into multiple software products.

Thus, particular embodiments of the subject matter have been described.Other embodiments are within the scope of the following claims. In somecases, the actions recited in the claims can be performed in a differentorder and still achieve desirable results. In addition, the processesdepicted in the accompanying figures do not necessarily require theparticular order shown, or sequential order, to achieve desirableresults. In certain implementations, multitasking and parallelprocessing may be advantageous.

1-20. (canceled)
 21. A method for applying security policies to virtualmachines, the method comprising: to detect a security threat, performinga security service on a virtual machine (VM) that operates based on afirst set of network connectivity settings; after detecting the securitythreat, associating a tag with the VM; based on the tag, assigning tothe VM a second set of network connectivity settings that is morerestricted than the first set of network connectivity settings; andafter resolution of the security threat, removing the association of thetag with the VM and assigning the first set of network connectivitysettings to the VM.
 22. The method of claim 21, wherein performing thesecurity service on the VM comprises scanning the VM for viruses. 23.The method of claim 22 further comprising assigning the VM to aquarantine group until the virus has been removed.
 24. The method ofclaim 23, wherein the VM is a first VM, any VM assigned to thequarantine group has reduced network connectivity, and the first VM isremoved from the quarantine group once the virus has been removed. 25.The method of claim 21, wherein the second set of network connectivitysettings comprise a network firewall setting that allows no networkaccess to the VM.
 26. The method of claim 21 further comprisingdetecting a login event on the VM; and determining, based on thedetected login event, that the security service has to be performed onthe VM.
 27. The method of claim 26, wherein detecting the login eventcomprises determining that the login event is associated with a usermembership group, and the determination to perform the security serviceis based on the login event being associated with the user membershipgroup.
 28. A method for applying security policies to virtual machines(VMs), the method comprising: receiving through a user interface data tocreate a first security container to associate with the VMs; definingthe first security container and specifying a first set of networkconnectivity settings for the VMs associated with the first securitycontainer; associating the first security container with a securityservice that is to be performed on any VM associated with the firstsecurity container to detect a security condition on the VM; anddefining a second security container to associate with any VM with thedetected security condition, and specifying a reduced, second set ofnetwork connectivity settings for any VM associated with the secondsecurity container.
 29. The method of claim 28 further comprising:assigning a first VM to the first security container; based on theassignment, performing the security service on the first VM to determinewhether the security condition exists on the first VM.
 30. The method ofclaim 28, wherein associating a VM with the second security containerremoves the VM's association with the first security container.
 31. Themethod of claim 28, wherein a first VM is assigned to the first securitycontainer upon a login event on the first VM.
 32. The method of claim31, wherein the login event is associated with a user membership group.33. The method of claim 28 further comprising specifying a rule thatrequires a VM to be removed from the second security container and addedto the first security container once a security condition on the VM hasbeen resolved.
 34. The method of claim 28, wherein the security servicescans a first security container VM for viruses.
 35. The method of claim28, wherein the second set of network connectivity settings comprise anetwork firewall setting that restricts network connectivity of any VMassociated with the second security container.
 36. The method of claim28 further comprising: providing a security manager to specify securitycontainers, to associate VMs with tags, and to specify tag-based rulesfor moving VMs between security containers based on the VMs associationwith tags; and providing network security enforcers to enforce networksecurity settings to VMs based on the VMs associated securitycontainers.
 37. A non-transitory machine readable medium storing aprogram for applying security policies to virtual machines, the programfor execution by at least one processing unit, the program comprisingsets of instructions for: to detect a security threat, performing asecurity service on a virtual machine (VM) that operates based on afirst set of network connectivity settings; after detecting the securitythreat, associating a tag with the VM; based on the tag, assigning tothe VM a second set of network connectivity settings that is morerestricted than the first set of network connectivity settings; andafter resolution of the security threat, removing the association of thetag with the VM and assigning the first set of network connectivitysettings to the VM.
 38. The non-transitory machine readable medium ofclaim 37, wherein the program further comprises a set of instructionsfor assigning the VM to a quarantine group until the virus has beenremoved.
 39. The non-transitory machine readable medium of claim 37,wherein the second set of network connectivity settings comprise anetwork firewall setting that allows no network access to the VM. 40.The non-transitory machine readable medium of claim 37, wherein theprogram further comprises sets of instructions for: detecting a loginevent on the VM; and determining, based on the detected login event,that the security service has to be performed on the VM.
 41. Thenon-transitory machine readable medium of claim 37, wherein the set ofinstructions for detecting the login event comprises a set ofinstructions for determining that the login event is associated with auser membership group, and the determination to perform the securityservice is based on the login event being associated with the usermembership group.